Part one of an ASM ghostwriting PoC script

I'd like to start off by apologizing in advance. This is posted in the experts section for a reason. This is not a script for people who want to zOMG hax0R things. This is for people who appreciate hacking.
While reading blog posts about AV bypass, one method described was ASM ghostwriting. I thought it was a really cool method, and wanted to look beyond static string replacement in the ASM code. So I came up with several ideas.

The first part of my script (this part) is a parser. It will read in an ASM.s file and output the stack and register values according to its parser. Please read the readme for a fuller explanation.

The next two parts will, hopefully, be added to the main part, and will be ASM generators/obfuscators and a static string replacement method.

Again, I apologize for sounding like a jerk, but since this is made for people who write shellcode, and not just disassemble a metasploit payload, it *ONLY* reads in files of *VALID* ASM code. Please see the readme for what is considered valid.

I am posting it here half-done for several reasons:
1) Find any bugs.
2) Comment about the script, and functionality you want added.
3) Stoke people's interest, so I can gauge how much work I should be putting into it.
4) Get people on the team to help me.
The help necessary is to come up with an engine of some sort to generate ASM code based on a saved framestate. Again, see the readme...

I've included the script, the readme, and some test shellcode files. One will obviously fail.

Last edited by ShadowMaster; 08-15-2012 at 03:46 PM.

World Domination is such an ugly phrase. I prefer the term World Optimization.

Re: Part one of an ASM ghostwriting PoC script

Thanks for the input, that's a cool idea. I was thinking something like this: as opposed to having to know all the byte lengths of the assembled instructions, I would implement two different arrays or hash tables.
Since all ASM code is funneled to parsecmd to be processed, if I read the file into a hash table or array, then jump on cmd to a specific element inside that table (meaning, just pass the cmd that comes after the label to the sub), it can be done. It would take some working out, but I feel that is the right path.

Edit:
Meaning something like this:
1) Add a new flag to the script called $currentline
2) Read in the ASM file of valid lines only( including labels) to an array called @LINES
3) Create a hash table named #POINTERS (or something) with the same number of elements as the @LINES array, and whenever a label is read in, the key name is LABEL, otherwise the key name is line(currline)
3a) the values of each line would be incremented by one
4) Instead of the current loop to read in cmds, switch it to a do loop, and send @LINES($currentline) to parsecmd.
5) If a jmp is hit with a matching flag, then set $currentline to be #POINTERS({LABEL})'s value. The do loop would automatically be updated, and the code would continue as normal.

Tell me what you think about this...

Thanks for the input, and let me know what you think of the rest of the script.

Last edited by ShadowMaster; 08-11-2012 at 09:37 PM.


Re: Part one of an ASM ghostwriting PoC script

It's a good base. I was thinking, since you're keeping track of the registers, you could have a brute-force part that takes from one line forward ten, say (auto or manual), and gets it to generate different combinations to make the value the same.
1) Get current line
2) Save regs to temp
3) Process lines
4) Get current line
5) Save regs to temp1
6) Loop
7) Brute-force and/or/xor/not/shr/ror
8) Compare to saved regs temp/temp1
9) Break
Maybe a database of micro-functions, connect/sendmessage etc., and one instruction like connect(123), with 123 the rand function to the brute force. Sorry, more ideas than help.

Re: Part one of an ASM ghostwriting PoC script

These all sound like good ideas, and any idea is appreciated. But I'm not sure what you mean with this? Is this for the ASM generator? for the parser? for the line-by-line substitution? I'm interested in understanding, please explain more in depth.


Re: Part one of an ASM ghostwriting PoC script

The line-by-line substitution. Say you have: xor eax, eax; push eax; push eax; inc eax; push eax; connect. The brute-force part will work out that it needs two pushes of 0x00 and one of 0x01, and will create a combination that makes the same thing, like: add 0x80..80; add 80..80; push eax.

Re: Part one of an ASM ghostwriting PoC script

Interesting. My thoughts were something along those lines for the ASM generating engine. For the Line-by-line, I was thinking something like this:
Every time the code found a register-clearing XOR, it would replace it with something equivalent in result but not in action.
Meaning:
XOR EAX, EAX would be changed into something like this:

These would all be community created modules that would do the exact same thing as the line replaced, only with multiple lines, and *ONLY* affect the registers that are affected in the lines. All other registers would remain the same.
Also the stack would remain the same.

I'm working on implementing JMPs and CALLs, CMPs and TESTs, but since I have no definitive list of which instructions set which flags when, and which JMPs and CALLs unset which flags when, it is slow going for now... Any help in that area is appreciated as well.

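The following is an added worked example, not the script from this thread (and written in Python rather than the Perl the original appears to use). It ties together two things discussed above: the line-pointer-plus-label-table approach from the second post (read the valid lines into a list, map each label to a line index, and have a jump simply reload the pointer), and the line-by-line substitution and brute-force ideas from the later posts (check a candidate replacement for xor eax, eax against the original over random starting states, comparing every register, the stack and the zero flag, then enumerate short sequences that pass). The register set, the instruction subset, the flag model (only ZF, set by ALU ops and left alone by mov/push) and the sample loop are all my own assumptions for the demo; the sample program is constructed.

```python
import itertools
import random

# Assumed 32-bit register set and instruction subset for this demo only.
REGS = ("eax", "ebx", "ecx", "edx", "esi", "edi")
MASK = 0xFFFFFFFF


def parse(src):
    """Keep valid lines in a list; map each label to the index of the instruction after it."""
    lines, labels = [], {}
    for raw in src.splitlines():
        text = raw.split(";", 1)[0].strip()          # drop comments and blanks
        if text.endswith(":"):
            labels[text[:-1].lower()] = len(lines)
        elif text:
            lines.append(text)
    return lines, labels


class State:
    """Registers, the stack (pushed dwords, top last) and the zero flag."""
    def __init__(self, regs=None, zf=0):
        self.regs = {r: 0 for r in REGS}
        self.regs.update(regs or {})
        self.stack, self.zf = [], zf
    def value(self, operand):  # register name or immediate
        return self.regs[operand] if operand in self.regs else int(operand, 0) & MASK
    def snapshot(self):
        return tuple(sorted(self.regs.items())), tuple(self.stack), self.zf


def run(src, state=None, max_steps=10000):
    """Execute by moving a line pointer; a jump reloads it from the label table."""
    lines, labels = parse(src)
    st = state if state is not None else State()
    pc = 0
    for _ in range(max_steps):
        if pc >= len(lines):
            return st
        parts = lines[pc].split(None, 1)
        op = parts[0].lower()
        args = [a.strip().lower() for a in parts[1].split(",")] if len(parts) > 1 else []
        pc += 1
        if op == "mov":
            st.regs[args[0]] = st.value(args[1])           # mov leaves ZF alone
        elif op in ("xor", "add", "sub", "and", "inc", "dec"):
            a = st.regs[args[0]]
            b = st.value(args[1]) if len(args) > 1 else 1
            res = {"xor": a ^ b, "add": a + b, "sub": a - b, "and": a & b,
                   "inc": a + 1, "dec": a - 1}[op] & MASK
            st.regs[args[0]], st.zf = res, int(res == 0)   # ALU ops set ZF
        elif op == "push":
            st.stack.append(st.value(args[0]))
        elif op in ("cmp", "test"):
            a, b = st.value(args[0]), st.value(args[1])
            st.zf = int(((a - b) & MASK if op == "cmp" else a & b) == 0)
        elif op in ("jmp", "jz", "je", "jnz", "jne"):
            taken = op == "jmp" or (op in ("jz", "je")) == bool(st.zf)
            if taken:
                pc = labels[args[0]]
        else:
            raise ValueError("unsupported instruction: " + lines[pc - 1])
    raise RuntimeError("step limit reached (infinite loop?)")


def equivalent(orig, repl, trials=50, seed=1):
    """True if repl leaves all registers, the stack and ZF exactly as orig does."""
    rng = random.Random(seed)
    for _ in range(trials):
        regs = {r: rng.getrandbits(32) for r in REGS}
        zf = rng.getrandbits(1)
        if run(orig, State(regs, zf)).snapshot() != run(repl, State(regs, zf)).snapshot():
            return False
    return True


def find_equivalents(orig, length=1, ops=("mov", "xor", "sub", "and", "add"),
                     imms=("0", "0x80000000")):
    """Brute-force length-instruction sequences over a small eax vocabulary."""
    vocab = ["%s eax, %s" % (op, src) for op in ops for src in ("eax",) + imms]
    return ["\n".join(seq) for seq in itertools.product(vocab, repeat=length)
            if equivalent(orig, "\n".join(seq), trials=20)]


# Constructed sample program: a counted loop that exercises the label table.
LOOP_DEMO = """
    mov ecx, 3
    xor eax, eax
top:
    add eax, ecx      ; eax += ecx
    dec ecx
    jnz top
    push eax
"""
```

Running find_equivalents("xor eax, eax") returns xor eax, eax; sub eax, eax; and and eax, 0, but not mov eax, 0: the registers match, yet mov does not set ZF while xor does, so a later jz/jnz would diverge. That is exactly the flag-tracking problem raised in the last post, and it is why the check compares the flag alongside the registers and stack rather than register values alone.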